'Mega' Data Breaches Cost Companies a Staggering Fortune, IBM Study Finds


IBM Security on Wednesday released its latest report examining the costs and impact associated with data breaches. The findings paint a grim portrait of what the cleanup is like for companies whose data becomes exposed—particularly for larger corporations that suffer so-called “mega breaches,” a costly exposure involving potentially tens of millions of private records.


According to the IBM study, while the average cost of a data breach globally hovers just under $4 million—a 6.4 percent increase over the past year—costs associated with so-called mega breaches (an Equifax or Target, for example) can reach into the hundreds of millions of dollars. The average cost of a breach involving 1 million records is estimated at around $40 million, while those involving 50 million records or more can skyrocket up to $350 million in damages.

Of the 11 mega breaches examined by IBM, 10 were a result of criminal attacks.

The average amount of time that passes before a major company notices a data breach is pretty atrocious. According to IBM, mega breaches typically go unnoticed for roughly a year.

Loss of business remains one of the largest expenses in the wake of a high-profile breach. Companies that have suffered breaches involving 50 million stolen records or more can expect to lose up to $118 million in business—a third of the cost associated with the incident.

Other key findings of the study include:

  • The average time to identify a data breach is 197 days, and the average time to contain a data breach once identified is 69 days.
  • Companies that contained a breach in less than 30 days saved over $1 million compared to those that took more than 30 days ($3.09 million vs. $4.25 million average total).
  • Each lost or stolen record costs roughly $148 on average, but having an incident response team (surprisingly, not every company does) can reduce the cost per record by as much as $14.
  • The use of an AI platform for cybersecurity reduced the cost by $8 per lost or stolen record.
  • Companies that indicated a “rush to notify” had a higher cost by $5 per lost or stolen record.
  • U.S. companies experienced the highest average cost of a breach at $7.91 million, followed by firms in the Middle East at $5.31 million.
  • The lowest total cost of a breach was $1.24 million in Brazil, followed by $1.77 million in India.

In the United States, costs associated with loss of business after a data breach are actually higher than the total cost of dealing with a data breach globally, and “more than double the amount of ‘lost business costs’ compared to any other region surveyed.”

There are many hidden costs associated with data breaches, said Wendi Whitmore, global lead at IBM X-Force, the company’s renowned security research division, including reputational damage, customer turnover, and operational costs.


“Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake,” Whitmore said.

Download the full 2018 Cost of a Data Breach Study here.


Senior Reporter, Privacy & Security



Somehow, a breach costing a business ~$40 per customer seems like it’s actually pretty low when compared with the amount of damage it can cause to an individual customer.

Target had $72 billion in revenue last year, so even a $350m cost, while significant, isn’t massive. Plus, Target benefited from collecting the data for years, in terms of being able to use it to generate analytics, making transactions easier, thereby generating more business - so if you’re doing a “risk reward” calculation, you have to factor in all the money Target made from having the data, even if they didn’t secure it properly.

Even if the data isn’t used by a hacker, a breach frequently involves a lot of action on the customer’s part - cancelling cards, changing passwords, setting up credit monitoring - and goes way higher if someone actually tries using the data.